Virginia Tech - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Strong Authentication Technologies

Secure Enterprise Technology Initiatives Internet
Application Development
e-Provisioning Group
Frank Galligan frankg_at_vt.edu
Bahaa Al-Amood balamood_at_vt.edu
2
Agenda
  • Demo
  • Hardware/Software Resources Overview
  • Review of Technologies: Smart Cards/Tokens, Symmetric
    Key/Public Key Cryptography, Digital Signature, PKI
    Infrastructure
  • Open Discussion: How does it impact us?
  • Q and A
3
HP Pavilion ze5600
Dual Boot: Win XP Pro Ver 2002 SP1 / GNU/Linux 2.4
Meganet 128MB Flash Storage USB VME BioDrive
Authenex A-key 16K V2 USB Token
4
Dell Latitude C840
Dual Boot: Win XP Pro Ver 2002 SP1 / GNU/Linux 2.4
Serial, Parallel, USB Interfaces
Dallas Semiconductor
USB iButton Smart Token
Schlumberger CyberFlex Access 16K Smart Card
Blue Dot Connector
Gemplus GemPC400 PCMCIA Smart Card Reader
5
Sun-Blade 150
Sun-Blade Sunrise
Solaris 9
Schlumberger CyberFlex Access 16K Smart Card
Integrated Card Reader
6
Smart Cards and Tokens
  • Dallas Semiconductor Java-Powered Cryptographic
    iButtons ($55 + $15 Blue Dot Connector)
  • HID Proximity Cards
  • Meganet 128MB Flash Storage USB VME BioDrive ($177)
  • Axalto eGate 32K USB
  • Axalto (Schlumberger) CyberFlex Access 16K
    ($20 ea for 64K card)
7
Smart Card Readers
  • Cherry G83-6742 Keyboard Integrated Card Reader ($80)
  • Gemplus GemPC410 ($46)
  • Schlumberger Reflex 72 ($39)
  • Schlumberger Reflex USB ($39)
  • Gemplus GemPC400 ($58)
  • Towitoko ChipDrive micro 100 ($40)
  • Gemplus USB ($34)
  • Average: $48
8
Demo Part I
  • Certificate Enrollment, S/MIME, Two Factor
    Authentication
  • User certificate request using Authenex smart
    token
  • Local login on Windows workstation using
    CyberFlex smartcard
  • Authentication to RA web app using CyberFlex
    smartcard
  • Digital signature of certificate request using
    CyberFlex smartcard
  • Download a user certificate onto Authenex smart
    token
  • Configure Outlook to use secure e-mail
  • Send a digitally signed e-mail
  • Send a digitally signed and encrypted reply with
    XML form attached
  • Process a digitally signed XML form
  • Legend: Frank, Bahaa

9
Demo Part II
  • File Encryption, SSH, Solaris and Linux
    Apps
  • Local file encryption on Windows w/Authenex smart
    token
  • Windows workstation lock/unlock w/CyberFlex
    smartcard
  • SSH remote login to Linux server w/CyberFlex
    smartcard
  • Local login on Linux workstation w/VME BioDrive
    token
  • Accessing secure web pages w/eToken
  • Local login on Solaris workstation w/CyberFlex
    smartcard
  • Legend: Frank, Bahaa

10
Time for the Demo
  • Strong Technologies Demo

11
Smart Cards and Tokens
  • Two Factor Authentication (something you have, the
    card or token, plus something you know, its PIN)
  • Onboard Key Generation, FIPS 140-1 Level 1 (the
    private key is generated on the device and never
    leaves it)
  • Programmable Java Card 2.x
  • Toolkit for Java Applet Development
  • Client Software Management Utility
  • Card reader or USB Interface
  • Support for Multiple Applications
  • PKCS #11 and CryptoAPI interfaces
  • Portability
  • Rapidly Changing Technology

12
Symmetric Key Cryptography
  • Same key is used for encryption and decryption
  • Key needs to be kept secret from all except
    sender and receiver, so the hard problem is getting
    that key to each pair of parties securely

[Figure: the same key shown on both the encryption and the decryption side]
Sarbari Gupta
13
Public Key Cryptography
  • Every entity has a key pair - a public key and a
    private key
  • Public key is widely distributed
  • Private key held closely by key owner (on a smart
    card or token it never leaves the device)
  • Deriving the private key from the public key is
    computationally infeasible
  • Public key used for encryption - private key used
    for decryption
  • Private key used to sign - public key used for
    signature verification

[Figure: public key and private key as the two halves of one key pair]
Sarbari Gupta
14
Public Key Encryption
  • The sender uses the intended recipient's public
    key, which is public knowledge, to encrypt the
    document.
  • Only the intended recipient can decrypt the
    document, because only the intended recipient has
    the corresponding private key.

Sarbari Gupta
15
Digital Signature - Generation
  • The hashing algorithm creates the message digest
    from the original document
  • The public key digital signature algorithm uses
    the message digest and the signer's private key to
    generate the digital signature

Sarbari Gupta
16
Digital Signature - Verification
  • The public key digital signature algorithm
    requires the message digest (recomputed from the
    received document), the digital signature and the
    signer's public key in order to verify the signer
    and the integrity of the document
  • Any change to the document after signing changes
    the digest, so verification fails
Sarbari Gupta
17
Trusting Public Keys of Peers
  • How can Alice tell if she has the correct public
    key for Bob?
  • Need a mechanism to trust the pairing of public
    keys and their owners

Message scrambled using Bob's public key
  • Obtain Bob's public key
  • Establish trust in Bob's public key
  • Encrypt message using Bob's public key
  • Bob uses his private key to unscramble the message

Sarbari Gupta
18
Public Key Certificate
  • Vouching by a Certification Authority (CA) of the
    binding between a subscriber's identity and
    their public key
  • Relying parties that trust the CA can verify that
    the public key belongs to the subscriber
  • When the binding needs to be undone, the
    certificate is revoked
  • Certificate Revocation List (CRL): a CA-signed list
    of revoked certificate serial numbers, published
    periodically
  • OCSP: an online query to the CA's responder for the
    current status of a single certificate

Sarbari Gupta
19
PKI Architectural Entities
  • Certification Authority
    • Trusted Entity
    • Generates and Revokes Public Key Certificates
    • Publishes Public Key Certificates and Certificate
      Revocation Lists in Directory Servers
    • Security Policy and Practices Documents
  • Organization Registration Authority
    • Trusted entity
    • Verifies and vouches for the identity of users
    • Generates / Approves Requests for Issuance of a
      Public Key Certificate
  • Subscriber
    • Obtains public key certificate from CA
    • Uses private key to interact securely with the
      Relying Party
  • Relying Party
    • Attempts to establish trust in the subscriber's
      public key

Sarbari Gupta
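The slides above (13 through 19) describe the primitives in words; the following is an added example, not code from the presenters or from any of the vendors listed, showing each step in working Python with the standard library only. It is textbook RSA with SHA-256, a toy certificate (canonical JSON standing in for an X.509 tbsCertificate) and a CRL modelled as a set of serial numbers; the names Bob, Mallory, serial 7 and the sample request text are constructed. Real tokens do the private-key operation on-card through PKCS #11 or CryptoAPI with PKCS #1 padding, so treat this as an illustration of the flow rather than a drop-in library.

```python
# Added example, not from the presentation: textbook RSA plus a toy
# certificate and CRL, Python standard library only. Not production code:
# no OAEP/PSS padding, no hybrid encryption, private key kept in memory.
import hashlib
import json
import secrets
E = 65537  # conventional public exponent

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin for odd n > 3; false-positive rate below 4 ** -rounds."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)  # random base in [2, n-2]
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # exact size, odd
        if is_probable_prime(c):
            return c

def generate_keypair(bits: int = 1024):
    """Slide 13: return (public, private) as (n, e) and (n, d)."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E != 0:
            break
    return (p * q, E), (p * q, pow(E, -1, phi))  # pow(x, -1, m): Python 3.8+

# Slide 14: encrypt under the recipient's public key; only the matching
# private key reverses it.
def encrypt(public, message: bytes) -> int:
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long; real systems RSA-wrap a symmetric key")
    return pow(m, e, n)

def decrypt(private, ciphertext: int) -> bytes:
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

# Slides 15-16: hash the document and sign the digest with the private key;
# the verifier recomputes the digest and checks it with the public key.
def digest(document: bytes) -> int:
    return int.from_bytes(hashlib.sha256(document).digest(), "big")

def sign(private, document: bytes) -> int:
    n, d = private
    return pow(digest(document), d, n)

def verify(public, document: bytes, signature: int) -> bool:
    n, e = public
    return pow(signature, e, n) == digest(document)

# Slides 17-19: the CA signs the (subject, public key) binding; a relying
# party that trusts the CA verifies that signature and checks the serial
# against the CA's revocation list (a set of serials stands in for the CRL).
def _canonical(tbs: dict) -> bytes:
    return json.dumps(tbs, sort_keys=True).encode()

def issue_certificate(ca_private, subject: str, subject_public, serial: int) -> dict:
    tbs = {"subject": subject, "serial": serial, "public_key": list(subject_public)}
    return {"tbs": tbs, "signature": sign(ca_private, _canonical(tbs))}

def validate_certificate(cert: dict, ca_public, crl: set) -> bool:
    tbs = cert["tbs"]
    if tbs["serial"] in crl:
        return False  # revoked: the binding has been undone
    return verify(ca_public, _canonical(tbs), cert["signature"])

def run_demo(bits: int = 512) -> dict:
    ca_pub, ca_priv = generate_keypair(bits)    # CA key pair (tiny, for speed)
    bob_pub, bob_priv = generate_keypair(bits)  # subscriber key pair
    cert = issue_certificate(ca_priv, "CN=Bob", bob_pub, serial=7)
    request = b"certificate request for CN=Bob"  # constructed sample document
    sig = sign(bob_priv, request)
    forged = {"tbs": dict(cert["tbs"], subject="CN=Mallory"), "signature": cert["signature"]}
    return {
        "encrypt_roundtrip": decrypt(bob_priv, encrypt(bob_pub, b"hello Bob")) == b"hello Bob",
        "signature_verifies": verify(bob_pub, request, sig),
        "tampered_doc_rejected": not verify(bob_pub, request + b"!", sig),
        "cert_valid": validate_certificate(cert, ca_pub, crl=set()),
        "revoked_cert_rejected": not validate_certificate(cert, ca_pub, crl={7}),
        "forged_cert_rejected": not validate_certificate(forged, ca_pub, crl=set()),
    }
```

Calling `run_demo()` returns a dict in which every entry is True: the encrypt/decrypt round trip, a good signature accepted, a tampered document and a forged certificate rejected, and a certificate whose serial is on the CRL rejected even though its CA signature is still valid. The revocation check runs before the signature check on purpose: a valid signature over a revoked binding is exactly the case slide 18 says must be refused.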
20
Issues in PKI Deployment
  • Distribution: certificates and CRLs need to be
    distributed to subscribers and relying parties
  • Directory: used to store and retrieve
    certificates and CRLs
  • Key Recovery: mechanisms that provide emergency
    access to encrypted data when the encryption keys
    are unavailable
  • Certificate Policy / Certification Practice
    Statement
  • Operating Procedures
  • Liabilities, Warranties, Service Level
    Agreements

Sarbari Gupta
21
Open Discussion
  • How does it impact us?

22
Resource Links
Schlumberger http://www.cardstore.slb.com
MuscleCard http://www.musclecard.com
Gemplus http://store.gemplus.com
Dallas Semiconductor http://www.ibutton.com
SCM Microsystems http://www.scmmicro.com
Meganet Corporation http://www.meganet.com
Towitoko http://www.towitoko.com
Omnikey http://www.omnikey.com
Advanced Card Systems http://www.acs.com.hk
Athena Smartcard Solutions http://www.athena-scs.com
HID Corporation http://www.hidcorp.com
Authenex http://www.authenx.com